<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Security privileges | ElasticSearch 7.7 Definitive Guide (Chinese Edition)</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'security-privileges.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">Original English version: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-privileges.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/security-privileges.html</a>; the original document is copyright www.elastic.co<br/>Local English version: <a href="../en/security-privileges.html" rel="nofollow" target="_blank">../en/security-privileges.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>Important</strong>: This version will not receive further bug fixes or documentation updates. For the latest information, see the <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">current version of the documentation</a>.
</div>
<div id="content">
<div class="navheader">
<span class="prev">
<a href="defining-roles.html">« Defining roles</a>
</span>
<span class="next">
<a href="document-level-security.html">Document level security »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="security-privileges"></a>Security privileges
</h2>
</div></div></div>
<p>This section lists the privileges that you can assign to a role.</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="privileges-list-cluster"></a>Cluster privileges
</h3>
</div></div></div>
<div class="informaltable">
<table border="0" cellpadding="4px">
<colgroup>
<col>
<col>
</colgroup>
<tbody valign="top">
<tr>
<td valign="top">
<p>
<code class="literal">all</code>
</p>
</td>
<td valign="top">
<p>
All cluster administration operations, like snapshotting, node shutdown/restart,
settings update, rerouting, or managing users and roles.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">create_snapshot</code>
</p>
</td>
<td valign="top">
<p>
Privileges to create snapshots for existing repositories. Can also list and view
details on existing repositories and snapshots.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">monitor_snapshot</code>
</p>
</td>
<td valign="top">
<p>
Privileges to list and view details on existing repositories and snapshots.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage</code>
</p>
</td>
<td valign="top">
<p>
Builds on <code class="literal">monitor</code> and adds cluster operations that change values in the cluster.
This includes snapshotting, updating settings, and rerouting. It also includes
obtaining snapshot and restore status. This privilege does not include the
ability to manage security.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_api_key</code>
</p>
</td>
<td valign="top">
<p>
All security-related operations on Elasticsearch API keys including
<a class="xref" href="security-api-create-api-key.html" title="Create API key API">creating new API keys</a>,
<a class="xref" href="security-api-get-api-key.html" title="Get API key information API">retrieving information about API keys</a>, and
<a class="xref" href="security-api-invalidate-api-key.html" title="Invalidate API key API">invalidating API keys</a>.
</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
When you create new API keys, they will always be owned by the authenticated
user.
</li>
<li class="listitem">
When you have this privilege, you can invalidate your own API keys and those
owned by other users.
</li>
</ul>
</div>
</div>
</div>

</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_ccr</code>
</p>
</td>
<td valign="top">
<p>
All cross-cluster replication operations related to managing follower indices and auto-follow
patterns. It also includes the authority to grant the privileges necessary to
manage follower indices and auto-follow patterns. This privilege is necessary
only on clusters that contain follower indices.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_transform</code>
</p>
</td>
<td valign="top">
<p>
All operations related to managing transforms.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_ilm</code>
</p>
</td>
<td valign="top">
<p>
All index lifecycle management operations related to managing policies.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_index_templates</code>
</p>
</td>
<td valign="top">
<p>
All operations on index templates.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_ingest_pipelines</code>
</p>
</td>
<td valign="top">
<p>
All operations on ingest node pipelines.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_ml</code>
</p>
</td>
<td valign="top">
<p>
All machine learning operations, such as creating and deleting datafeeds, jobs, and model
snapshots.
</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Datafeeds that were created prior to version 6.2 or created when
security features were disabled run as a system user with elevated privileges,
including permission to read all indices. Newer datafeeds run with the security
roles of the user who created or updated them.</p>
</div>
</div>

</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_own_api_key</code>
</p>
</td>
<td valign="top">
<p>
All security-related operations on Elasticsearch API keys that are owned by the current
authenticated user. The operations include
<a class="xref" href="security-api-create-api-key.html" title="Create API key API">creating new API keys</a>,
<a class="xref" href="security-api-get-api-key.html" title="Get API key information API">retrieving information about API keys</a>, and
<a class="xref" href="security-api-invalidate-api-key.html" title="Invalidate API key API">invalidating API keys</a>.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_pipeline</code>
</p>
</td>
<td valign="top">
<p>
All operations on ingest pipelines.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_rollup</code>
</p>
</td>
<td valign="top">
<p>
All rollup operations, including creating, starting, stopping and deleting
rollup jobs.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_saml</code>
</p>
</td>
<td valign="top">
<p>
Enables the use of internal Elasticsearch APIs to initiate and manage SAML authentication
on behalf of other users.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_security</code>
</p>
</td>
<td valign="top">
<p>
All security-related operations such as CRUD operations on users and roles and
cache clearing.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_token</code>
</p>
</td>
<td valign="top">
<p>
All security-related operations on tokens that are generated by the Elasticsearch Token
Service.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_watcher</code>
</p>
</td>
<td valign="top">
<p>
All watcher operations, such as putting watches and executing, activating, or acknowledging them.
</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Watches that were created prior to version 6.1 or created when the
security features were disabled run as a system user with elevated privileges,
including permission to read and write all indices. Newer watches run with the
security roles of the user who created or updated them.</p>
</div>
</div>

</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">monitor</code>
</p>
</td>
<td valign="top">
<p>
All cluster read-only operations, like cluster health and state, hot threads,
node info, node and cluster stats, and pending cluster tasks.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">monitor_transform</code>
</p>
</td>
<td valign="top">
<p>
All read-only operations related to transforms.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">monitor_ml</code>
</p>
</td>
<td valign="top">
<p>
All read-only machine learning operations, such as getting information about datafeeds, jobs,
model snapshots, or results.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">monitor_rollup</code>
</p>
</td>
<td valign="top">
<p>
All read-only rollup operations, such as viewing the list of historical and
currently running rollup jobs and their capabilities.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">monitor_watcher</code>
</p>
</td>
<td valign="top">
<p>
All read-only watcher operations, such as getting a watch and watcher stats.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">read_ccr</code>
</p>
</td>
<td valign="top">
<p>
All read-only cross-cluster replication operations, such as getting information about indices and
metadata for leader indices in the cluster. It also includes the authority to
check whether users have the appropriate privileges to follow leader indices.
This privilege is necessary only on clusters that contain leader indices.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">read_ilm</code>
</p>
</td>
<td valign="top">
<p>
All read-only index lifecycle management operations, such as getting policies and checking the
status of index lifecycle management.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">transport_client</code>
</p>
</td>
<td valign="top">
<p>
All privileges necessary for a transport client to connect. Required by the remote
cluster to enable <a class="xref" href="cross-cluster-configuring.html" title="Cross cluster search and security">Cross Cluster Search</a>.
</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="privileges-list-indices"></a>Indices privileges
</h3>
</div></div></div>
<div class="informaltable">
<table border="0" cellpadding="4px">
<colgroup>
<col>
<col>
</colgroup>
<tbody valign="top">
<tr>
<td valign="top">
<p>
<code class="literal">all</code>
</p>
</td>
<td valign="top">
<p>
Any action on an index.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">create</code>
</p>
</td>
<td valign="top">
<p>
Privilege to index documents. Also grants access to the update mapping
action.
</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>This privilege does not restrict the index operation to the creation
of documents but instead restricts API use to the index API. The index API
allows a user to overwrite a previously indexed document. See the <code class="literal">create_doc</code>
privilege for an alternative.</p>
</div>
</div>

</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">create_doc</code>
</p>
</td>
<td valign="top">
<p>
Privilege to index documents. Also grants access to the update mapping action.
However, it does not enable a user to update existing documents.
</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>This privilege relies on the <code class="literal">op_type</code> of indexing requests (<a class="xref" href="docs-index_.html" title="Index API">Index</a> and
<a class="xref" href="docs-bulk.html" title="Bulk API">Bulk</a>). When ingesting documents as a user who has the <code class="literal">create_doc</code>
privilege (and no higher privilege such as <code class="literal">index</code> or <code class="literal">write</code>), you must ensure that
<em>op_type</em> is set to <em>create</em> through one of the following:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Explicitly setting the <code class="literal">op_type</code> in the index or bulk APIs
</li>
<li class="listitem">
Using the <code class="literal">_create</code> endpoint for the index API
</li>
<li class="listitem">
Creating a document with an auto-generated <code class="literal">_id</code>
</li>
</ul>
</div>
</div>
</div>
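<p>As an added illustration of the <code class="literal">op_type</code> rule above (example code written for this page, not part of the Elasticsearch documentation or its client libraries), the following Python helpers audit an NDJSON bulk body line by line and report which actions a user holding only <code class="literal">create_doc</code> can submit, and pick the index API route that satisfies the rule for a single document. The index name <code class="literal">app-logs</code> and the sample bulk body are constructed.</p>

```python
"""Audit Elasticsearch bulk bodies against the `create_doc` index privilege (constructed example)."""
import json
from typing import List, Optional, Tuple

ALLOWED = "allowed"
DENIED = "denied (needs `index`, `write` or a higher privilege)"


def classify_action(action: dict) -> Tuple[str, str]:
    """Return (verdict, reason) for one bulk action metadata object."""
    # `create_doc` authorises only requests whose op_type resolves to "create":
    # the create action, an explicit op_type, or an auto-generated _id.
    if len(action) != 1:
        raise ValueError("bulk action line must contain exactly one key")
    ((name, meta),) = action.items()
    meta = meta or {}
    if name == "create":
        return ALLOWED, "create action sets op_type=create"
    if name == "index":
        if meta.get("op_type") == "create":
            return ALLOWED, "index action with explicit op_type=create"
        if "_id" not in meta:
            return ALLOWED, "no _id given: auto-generated _id implies create"
        return DENIED, "index with _id may overwrite an existing document"
    if name in ("update", "delete"):
        return DENIED, f"{name} action changes existing documents"
    raise ValueError(f"unknown bulk action: {name}")


def audit_bulk_body(ndjson: str) -> List[Tuple[int, str, str, str]]:
    """Walk an NDJSON bulk body; return (line_no, action, verdict, reason)."""
    lines = [ln for ln in ndjson.splitlines() if ln.strip()]
    report, i = [], 0
    while i < len(lines):
        action = json.loads(lines[i])
        verdict, reason = classify_action(action)
        name = next(iter(action))
        report.append((i + 1, name, verdict, reason))
        # delete has no source line; every other action is followed by one
        i += 1 if name == "delete" else 2
    return report


def single_doc_request(index: str, doc_id: Optional[str]) -> Tuple[str, str]:
    """Method and path for the index API that a `create_doc` user may call."""
    if doc_id is None:
        return "POST", f"/{index}/_doc"            # auto-generated _id
    return "PUT", f"/{index}/_create/{doc_id}"   # _create endpoint


# Constructed sample body mixing permitted and rejected actions.
SAMPLE_BULK = "\n".join([
    json.dumps({"create": {"_index": "app-logs", "_id": "1"}}),
    json.dumps({"msg": "login ok"}),
    json.dumps({"index": {"_index": "app-logs"}}),
    json.dumps({"msg": "auto id"}),
    json.dumps({"index": {"_index": "app-logs", "_id": "1"}}),
    json.dumps({"msg": "overwrite attempt"}),
    json.dumps({"delete": {"_index": "app-logs", "_id": "1"}}),
]) + "\n"
```

Running <code class="literal">audit_bulk_body(SAMPLE_BULK)</code> flags the third and fourth actions, which is exactly what a cluster would reject with a 403 for a <code class="literal">create_doc</code>-only role.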

</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">create_index</code>
</p>
</td>
<td valign="top">
<p>
Privilege to create an index. A create index request may contain aliases to be
added to the index once created. In that case the request requires the <code class="literal">manage</code>
privilege as well, on both the index name and the alias names.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">delete</code>
</p>
</td>
<td valign="top">
<p>
Privilege to delete documents.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">delete_index</code>
</p>
</td>
<td valign="top">
<p>
Privilege to delete an index.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">index</code>
</p>
</td>
<td valign="top">
<p>
Privilege to index and update documents. Also grants access to the update
mapping action.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">maintenance</code>
</p>
</td>
<td valign="top">
<p>
Permits refresh, flush, synced flush and force merge index administration operations.
No privilege to read or write index data or otherwise manage the index.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage</code>
</p>
</td>
<td valign="top">
<p>
All <code class="literal">monitor</code> privileges plus index administration (aliases, analyze, cache clear,
close, delete, exists, flush, mapping, open, force merge, refresh, settings,
search shards, templates, validate).
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_follow_index</code>
</p>
</td>
<td valign="top">
<p>
All actions that are required to manage the lifecycle of a follower index, which
includes creating a follower index, closing it, and converting it to a regular
index. This privilege is necessary only on clusters that contain follower indices.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_ilm</code>
</p>
</td>
<td valign="top">
<p>
All index lifecycle management operations relating to managing the execution of policies of an index.
This includes operations like retrying policies and removing a policy
from an index.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">manage_leader_index</code>
</p>
</td>
<td valign="top">
<p>
All actions that are required to manage the lifecycle of a leader index, which
includes <a href="ccr-post-forget-follower.html" class="ulink" target="_top">forgetting a follower</a>. This
privilege is necessary only on clusters that contain leader indices.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">monitor</code>
</p>
</td>
<td valign="top">
<p>
All actions that are required for monitoring (recovery, segments info, index
stats and status).
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">read</code>
</p>
</td>
<td valign="top">
<p>
Read-only access to actions (count, explain, get, mget, get indexed scripts,
more like this, multi percolate/search/termvector, percolate, scroll,
clear_scroll, search, suggest, tv).
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">read_cross_cluster</code>
</p>
</td>
<td valign="top">
<p>
Read-only access to the search action from a <a class="xref" href="cross-cluster-configuring.html" title="Cross cluster search and security">remote cluster</a>.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">view_index_metadata</code>
</p>
</td>
<td valign="top">
<p>
Read-only access to index metadata (aliases, aliases exists, get index, exists, field mappings,
mappings, search shards, type exists, validate, warmers, settings, ilm). This
privilege is primarily available for use by Kibana users.
</p>
</td>
</tr>
<tr>
<td valign="top">
<p>
<code class="literal">write</code>
</p>
</td>
<td valign="top">
<p>
Privilege to perform all write operations to documents, which includes the
permission to index, update, and delete documents as well as performing bulk
operations. Also grants access to the update mapping action.
</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="_run_as_privilege"></a>Run as privilege
</h3>
</div></div></div>
<p>The <code class="literal">run_as</code> permission enables an authenticated user to submit requests on
behalf of another user. The value can be a user name or a comma-separated list
of user names. (You can also specify users as an array of strings or a YAML
sequence.) For more information, see
<a class="xref" href="run-as-privilege.html" title="Submitting requests on behalf of other users">Submitting Requests on Behalf of Other Users</a>.</p>
</div>

<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="application-privileges"></a>Application privileges
</h3>
</div></div></div>
<p>Application privileges are managed within Elasticsearch and can be retrieved with the
<a class="xref" href="security-api-has-privileges.html" title="Has privileges API">has privileges API</a> and the
<a class="xref" href="security-api-get-privileges.html" title="Get application privileges API">get application privileges API</a>. They do
not, however, grant access to any actions or resources within Elasticsearch. Their
purpose is to enable applications to represent and store their own privilege
models within Elasticsearch roles.</p>
<p>To create application privileges, use the
<a class="xref" href="security-api-put-privileges.html" title="Create or update application privileges API">add application privileges API</a>. You can
then associate these application privileges with roles, as described in
<a class="xref" href="defining-roles.html" title="Defining roles">Defining roles</a>.</p>
</div>

</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>